A security lapse at the dating app Raw publicly exposed the personal data and private location data of its users, TechCrunch has found.
The exposed data included users' screen names, dates of birth, and dating and sexual preferences associated with the Raw app, as well as users' locations. Some of the location data included coordinates that were specific enough to locate Raw app users with street-level accuracy.
Raw, which launched in 2023, is a dating app that claims to offer more genuine interactions with others, in part by asking users to upload daily selfie photos. The company does not disclose how many users it has, but its app listing on the Google Play Store records more than 500,000 Android downloads to date.
News of the security lapse comes in the same week that the startup announced a hardware extension of its app, the Raw Ring, an as-yet unavailable wearable device that it claims will allow app users to track their partner's heart rate and other sensor data to receive insights generated from that data.
Notwithstanding the moral and ethical issues of tracking romantic partners and the risks of emotional surveillance, Raw claims on its website and in its privacy policy that its app and its unreleased device both use end-to-end encryption, a security feature that prevents anyone other than the user from accessing the data.
When we tried the app this week, which included an analysis of the app's network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app was publicly spilling data about its users to anyone with a web browser.
Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.
“All the last points previously exposed have been provided, and we have implemented additional protection measures to prevent similar issues in the future,” Marina Anderson, co-founder of the Raw dating app, told TechCrunch by email.
When asked by TechCrunch, Anderson confirmed that the company had not carried out a third-party security audit of its app, adding that “its concentration remains in building a high quality product and significantly engaged with our growing community.”
Anderson would not commit to proactively notifying the affected users that their information was exposed, but said the company would “submit a detailed report to the relevant data protection authorities according to the applicable regulations”.
It is not known how long the app had been publicly spilling its users’ data. Anderson said the company was still investigating the incident.
Regarding the claim that the app uses end-to-end encryption, Anderson said Raw “uses encryption in transit and implements entry controls for sensitive data within our infrastructure. Further steps will be clear after fully analyzing the situation.”
Anderson would not say, when asked, whether the company plans to correct its privacy policy, and did not respond to a follow-up email from TechCrunch.
How we found the exposed data
TechCrunch discovered the bug on Wednesday during a brief test of the app. As part of our test, we installed the Raw dating app on a virtual Android device, which allows us to use the app without having to provide any real-world data, such as our physical location.
We created a new user account with dummy data, such as a name and date of birth, and configured our virtual device's location to appear as though we were at a museum in Mountain View, California. When the app requested our virtual device's location, we allowed the app to access our precise location, down to a few meters.
We used a network traffic analysis tool to monitor and inspect the data flowing in and out of the Raw app, which allowed us to understand how the app works and what kinds of data the app was uploading about its users.
TechCrunch discovered the data exposure within minutes of using the Raw app. When we first loaded the app, we found that it was pulling user profile information directly from the company’s servers, but that the server was not protecting the returned data with any authentication.
In practice, this meant that anyone could access any other user’s private information by using a web browser to visit the web address of the exposed server, api.raw.app/users/ followed by a unique 11-digit number corresponding to another app user. Changing the digits to correspond with any other user’s 11-digit identifier returned private information from that user’s profile, including their location data.
This type of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or modify data on someone else’s server because of a lack of proper security checks on the user accessing the data.
As we have explained before, IDOR bugs are akin to having a key for a private mailbox, for example, but that key can also unlock every other mailbox on the same street. As such, IDOR bugs can be exploited with ease and in some cases enumerated, allowing access to record after record of user data.
The U.S. cybersecurity agency CISA has long warned of the risks that IDOR bugs present, including the ability to access typically sensitive data “at scale.” As part of its Secure by Design initiative, CISA said in a 2023 advisory that developers should ensure that their apps perform proper authentication and authorization checks.
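The missing checks described above, shown as a profile lookup without them next to one that authenticates the caller and authorizes access per record. This is an added illustration, not Raw's code: the records, signing key, token format, function names and the choice of which fields other users may see are all constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side token signing key

# Constructed sample records keyed by an 11-digit identifier.
USERS = {
    "10000000001": {"screen_name": "alice", "birth_date": "1990-01-01",
                    "location": (37.4143, -122.0774)},
    "10000000002": {"screen_name": "bob", "birth_date": "1988-05-12",
                    "location": (37.7749, -122.4194)},
}
PUBLIC_FIELDS = {"screen_name"}  # assumption: what other users may see


def _sign(user_id):
    return hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id):
    """Hypothetical session token: '<user_id>.<HMAC of user_id>'."""
    return user_id + "." + _sign(user_id)


def authenticate(token):
    """Return the user id the token was issued to, or None if invalid."""
    if not token or "." not in token:
        return None
    user_id, _, sig = token.partition(".")
    return user_id if hmac.compare_digest(sig, _sign(user_id)) else None


def get_user_unchecked(user_id):
    """No authentication or authorization: any caller gets any full record."""
    record = USERS.get(user_id)
    return (200, record) if record else (404, None)


def get_user_checked(user_id, token):
    """Authenticate the caller, then authorize access to this record."""
    caller = authenticate(token)
    if caller is None:
        return (401, None)              # no valid session: nothing returned
    record = USERS.get(user_id)
    if record is None:
        return (404, None)
    if caller == user_id:
        return (200, dict(record))      # owners see their own full record
    # Other authenticated users get only fields marked public.
    return (200, {k: v for k, v in record.items() if k in PUBLIC_FIELDS})
```
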
Since Raw fixed the bug, the exposed server no longer returns user data.